e51a8d6374
The method being changed constructs domain-related parameters that will further be passed to the auth plugin. If project domain is not passed, the method sets it to the default domain. token_endpoint does not expect any information about domain, because it uses only a token and URL. Passing it to auth plugin causes an exception. Construct domain-related parameters only for specific plugins, such as password or totp. Change-Id: I13db3bbe31a0ed843e9f4528d37c768546e2bee9 Closes-Bug: 1642301
263 lines
10 KiB
Python
263 lines
10 KiB
Python
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
#
|
|
|
|
"""OpenStackConfig subclass for argument compatibility"""
|
|
|
|
import logging
|
|
|
|
from os_client_config import config
|
|
from os_client_config import exceptions as occ_exceptions
|
|
from oslo_utils import strutils
|
|
import six
|
|
|
|
|
|
LOG = logging.getLogger(__name__)
|
|
|
|
|
|
# Sublcass OpenStackConfig in order to munge config values
|
|
# before auth plugins are loaded
|
|
class OSC_Config(config.OpenStackConfig):
|
|
|
|
# TODO(dtroyer): Once os-client-config with pw_func argument is in
|
|
# global-requirements we can remove __init()__
|
|
def __init__(
|
|
self,
|
|
config_files=None,
|
|
vendor_files=None,
|
|
override_defaults=None,
|
|
force_ipv4=None,
|
|
envvar_prefix=None,
|
|
secure_files=None,
|
|
pw_func=None,
|
|
):
|
|
ret = super(OSC_Config, self).__init__(
|
|
config_files=config_files,
|
|
vendor_files=vendor_files,
|
|
override_defaults=override_defaults,
|
|
force_ipv4=force_ipv4,
|
|
envvar_prefix=envvar_prefix,
|
|
secure_files=secure_files,
|
|
)
|
|
|
|
# NOTE(dtroyer): This will be pushed down into os-client-config
|
|
# The default is there is no callback, the calling
|
|
# application must specify what to use, typically
|
|
# it will be osc_lib.shell.prompt_for_password()
|
|
if '_pw_callback' not in vars(self):
|
|
# Set the default if it doesn't already exist
|
|
self._pw_callback = None
|
|
if pw_func is not None:
|
|
# Set the passed in value
|
|
self._pw_callback = pw_func
|
|
|
|
return ret
|
|
|
|
def _auth_select_default_plugin(self, config):
|
|
"""Select a default plugin based on supplied arguments
|
|
|
|
Migrated from auth.select_auth_plugin()
|
|
"""
|
|
|
|
identity_version = config.get('identity_api_version', '')
|
|
|
|
if config.get('username', None) and not config.get('auth_type', None):
|
|
if identity_version == '3':
|
|
config['auth_type'] = 'v3password'
|
|
elif identity_version.startswith('2'):
|
|
config['auth_type'] = 'v2password'
|
|
else:
|
|
# let keystoneauth figure it out itself
|
|
config['auth_type'] = 'password'
|
|
elif config.get('token', None) and not config.get('auth_type', None):
|
|
if identity_version == '3':
|
|
config['auth_type'] = 'v3token'
|
|
elif identity_version.startswith('2'):
|
|
config['auth_type'] = 'v2token'
|
|
else:
|
|
# let keystoneauth figure it out itself
|
|
config['auth_type'] = 'token'
|
|
else:
|
|
# The ultimate default is similar to the original behaviour,
|
|
# but this time with version discovery
|
|
if not config.get('auth_type', None):
|
|
config['auth_type'] = 'password'
|
|
|
|
LOG.debug("Auth plugin %s selected" % config['auth_type'])
|
|
return config
|
|
|
|
def _auth_v2_arguments(self, config):
|
|
"""Set up v2-required arguments from v3 info
|
|
|
|
Migrated from auth.build_auth_params()
|
|
"""
|
|
|
|
if ('auth_type' in config and config['auth_type'].startswith("v2")):
|
|
if 'project_id' in config['auth']:
|
|
config['auth']['tenant_id'] = config['auth']['project_id']
|
|
if 'project_name' in config['auth']:
|
|
config['auth']['tenant_name'] = config['auth']['project_name']
|
|
return config
|
|
|
|
def _auth_v2_ignore_v3(self, config):
|
|
"""Remove v3 arguemnts if present for v2 plugin
|
|
|
|
Migrated from clientmanager.setup_auth()
|
|
"""
|
|
|
|
# NOTE(hieulq): If USER_DOMAIN_NAME, USER_DOMAIN_ID, PROJECT_DOMAIN_ID
|
|
# or PROJECT_DOMAIN_NAME is present and API_VERSION is 2.0, then
|
|
# ignore all domain related configs.
|
|
if (config.get('identity_api_version', '').startswith('2') and
|
|
config.get('auth_type', None).endswith('password')):
|
|
domain_props = [
|
|
'project_domain_id',
|
|
'project_domain_name',
|
|
'user_domain_id',
|
|
'user_domain_name',
|
|
]
|
|
for prop in domain_props:
|
|
if config['auth'].pop(prop, None) is not None:
|
|
LOG.warning("Ignoring domain related config " +
|
|
prop + " because identity API version is 2.0")
|
|
return config
|
|
|
|
def _auth_default_domain(self, config):
|
|
"""Set a default domain from available arguments
|
|
|
|
Migrated from clientmanager.setup_auth()
|
|
"""
|
|
|
|
identity_version = config.get('identity_api_version', '')
|
|
auth_type = config.get('auth_type', None)
|
|
|
|
# TODO(mordred): This is a usability improvement that's broadly useful
|
|
# We should port it back up into os-client-config.
|
|
default_domain = config.get('default_domain', None)
|
|
if (identity_version == '3' and
|
|
not auth_type.startswith('v2') and
|
|
default_domain):
|
|
|
|
# NOTE(stevemar): If PROJECT_DOMAIN_ID or PROJECT_DOMAIN_NAME is
|
|
# present, then do not change the behaviour. Otherwise, set the
|
|
# PROJECT_DOMAIN_ID to 'OS_DEFAULT_DOMAIN' for better usability.
|
|
if (
|
|
auth_type in ("password", "v3password", "v3totp") and
|
|
not config['auth'].get('project_domain_id') and
|
|
not config['auth'].get('project_domain_name')
|
|
):
|
|
config['auth']['project_domain_id'] = default_domain
|
|
|
|
# NOTE(stevemar): If USER_DOMAIN_ID or USER_DOMAIN_NAME is present,
|
|
# then do not change the behaviour. Otherwise, set the
|
|
# USER_DOMAIN_ID to 'OS_DEFAULT_DOMAIN' for better usability.
|
|
# NOTE(aloga): this should only be set if there is a username.
|
|
# TODO(dtroyer): Move this to os-client-config after the plugin has
|
|
# been loaded so we can check directly if the options are accepted.
|
|
if (
|
|
auth_type in ("password", "v3password", "v3totp") and
|
|
not config['auth'].get('user_domain_id') and
|
|
not config['auth'].get('user_domain_name')
|
|
):
|
|
config['auth']['user_domain_id'] = default_domain
|
|
return config
|
|
|
|
def auth_config_hook(self, config):
|
|
"""Allow examination of config values before loading auth plugin
|
|
|
|
OpenStackClient will override this to perform additional chacks
|
|
on auth_type.
|
|
"""
|
|
|
|
config = self._auth_select_default_plugin(config)
|
|
config = self._auth_v2_arguments(config)
|
|
config = self._auth_v2_ignore_v3(config)
|
|
config = self._auth_default_domain(config)
|
|
|
|
if LOG.isEnabledFor(logging.DEBUG):
|
|
LOG.debug("auth_config_hook(): %s",
|
|
strutils.mask_password(six.text_type(config)))
|
|
return config
|
|
|
|
def load_auth_plugin(self, config):
|
|
"""Get auth plugin and validate args"""
|
|
|
|
loader = self._get_auth_loader(config)
|
|
config = self._validate_auth(config, loader)
|
|
auth_plugin = loader.load_from_options(**config['auth'])
|
|
return auth_plugin
|
|
|
|
def _validate_auth_ksc(self, config, cloud, fixed_argparse=None):
|
|
"""Old compatibility hack for OSC, no longer needed/wanted"""
|
|
return config
|
|
|
|
def _validate_auth(self, config, loader, fixed_argparse=None):
|
|
"""Validate auth plugin arguments"""
|
|
# May throw a keystoneauth1.exceptions.NoMatchingPlugin
|
|
|
|
plugin_options = loader.get_options()
|
|
|
|
msgs = []
|
|
prompt_options = []
|
|
for p_opt in plugin_options:
|
|
# if it's in config, win, move it and kill it from config dict
|
|
# if it's in config.auth but not in config we're good
|
|
# deprecated loses to current
|
|
# provided beats default, deprecated or not
|
|
winning_value = self._find_winning_auth_value(p_opt, config)
|
|
if not winning_value:
|
|
winning_value = self._find_winning_auth_value(
|
|
p_opt, config['auth'])
|
|
|
|
# if the plugin tells us that this value is required
|
|
# then error if it's doesn't exist now
|
|
if not winning_value and p_opt.required:
|
|
msgs.append(
|
|
'Missing value {auth_key}'
|
|
' required for auth plugin {plugin}'.format(
|
|
auth_key=p_opt.name, plugin=config.get('auth_type'),
|
|
)
|
|
)
|
|
|
|
# Clean up after ourselves
|
|
for opt in [p_opt.name] + [o.name for o in p_opt.deprecated]:
|
|
opt = opt.replace('-', '_')
|
|
config.pop(opt, None)
|
|
config['auth'].pop(opt, None)
|
|
|
|
if winning_value:
|
|
# Prefer the plugin configuration dest value if the value's key
|
|
# is marked as depreciated.
|
|
if p_opt.dest is None:
|
|
config['auth'][p_opt.name.replace('-', '_')] = (
|
|
winning_value)
|
|
else:
|
|
config['auth'][p_opt.dest] = winning_value
|
|
|
|
# See if this needs a prompting
|
|
if (
|
|
'prompt' in vars(p_opt) and
|
|
p_opt.prompt is not None and
|
|
p_opt.dest not in config['auth'] and
|
|
self._pw_callback is not None
|
|
):
|
|
# Defer these until we know all required opts are present
|
|
prompt_options.append(p_opt)
|
|
|
|
if msgs:
|
|
raise occ_exceptions.OpenStackConfigException('\n'.join(msgs))
|
|
else:
|
|
for p_opt in prompt_options:
|
|
config['auth'][p_opt.dest] = self._pw_callback(p_opt.prompt)
|
|
|
|
return config
|